G06F2212/1052

REDUCING LATENCY OF HARDWARE TRUSTED EXECUTION ENVIRONMENTS

Example methods and systems are directed to reducing latency in providing trusted execution environments (TEEs). Initializing a TEE includes multiple steps before the TEE starts executing. Besides workload-specific initialization, workload-independent initialization is performed, such as adding memory to the TEE. In function-as-a-service (FaaS) environments, a large portion of the TEE initialization is workload-independent and thus can be performed prior to receiving the workload. Certain steps performed during TEE initialization are identical for certain classes of workloads. Thus, the common parts of the TEE initialization sequence may be performed before the TEE is requested. When a TEE is requested for a workload in the class and the parts that specialize the TEE for its particular purpose are known, the final steps to initialize the TEE are performed.

Efficient filename storage and retrieval
11704336 · 2023-07-18

The disclosed technology relates to a system configured to detect a modification to a node in a tree data structure. The node is associated with a content item managed by a content management service as well as a filename. The system may append the filename and a separator to a filename array, determine a location of the filename in the filename array, and store the location of the filename in the node.

METHOD OF MANAGING ACCESS RIGHTS FOR SOFTWARE TASKS EXECUTED BY A MICROCONTROLLER, AND CORRESPONDING INTEGRATED CIRCUIT
20230015027 · 2023-01-19

In an embodiment, a method for managing access rights of software tasks executed by a processing unit (CPU) using a cache memory containing execution data of the tasks in memory locations, each item of execution data having an attribute representative of a level of access right of the respective task, includes changing the attributes of the locations of the cache memory when the access rights of at least one task change and retaining the execution data contained in the locations of the cache memory.

REVERSE SHADOW PAGE TABLES FOR NESTED VIRTUAL MACHINES
20230018412 · 2023-01-19

Systems and methods for memory management for virtual machines. An example method may comprise running, by a host computer system, a Level 0 hypervisor managing a Level 1 virtual machine running a Level 1 hypervisor, which manages a Level 2 virtual machine. The Level 1 hypervisor may detect execution of an operation that prevents modification to a set of entries in a Level 2 page table and generate a shadow page table in which each shadow page table entry of the plurality of shadow page table entries maps a Level 2 guest virtual address of a Level 2 address space associated with the Level 2 virtual machine to a corresponding Level 1 guest physical address of a Level 1 address space associated with the Level 1 virtual machine. The Level 0 hypervisor may generate a Level 0 page table.

Dynamic allocation of cache memory as RAM

An apparatus includes a cache controller circuit and a cache memory circuit that further includes cache memory having a plurality of cache lines. The cache controller circuit may be configured to receive a request to reallocate a portion of the cache memory circuit that is currently in use. This request may identify an address region corresponding to one or more of the cache lines. The cache controller circuit may be further configured, in response to the request, to convert the one or more cache lines to directly-addressable, random-access memory (RAM) by excluding the one or more cache lines from cache operations.

DATA SECURITY CLASSIFICATION FOR STORAGE SYSTEMS USING SECURITY LEVEL DESCRIPTORS
20230018820 · 2023-01-19

A security level tagging process enables a user to associate a security level descriptor with a file, or with a namespace directory where files and subdirectories inherit the security level descriptor from a parent directory. A parser can be used to automatically set a security level descriptor based on the contents and/or attributes of a file, or an administrator can associate a security level with a storage tier in the file system so that files are placed on the storage tier whose security level matches the file's security level descriptor. The placement of a file on a storage tier depends on the data security level descriptor of the file and the security level of the storage, so that files are placed on tiers where the security level associated with the tier is greater than or equal to the data security level of the file. Files can be migrated among storage tiers as their security levels change.

Multi-ring shared, traversable, and dynamic advanced database
11556468 · 2023-01-17

Examples of the present disclosure describe systems and methods for sharing memory using a multi-ring shared, traversable and dynamic database. In aspects, the database may be synchronized and shared between multiple processes and/or operation mode protection rings of a system. The database may also be persisted to enable the management of information between hardware reboots and application sessions. The information stored in the database may be view independent, traversable, and resizable from various component views of the database. In some aspects, an event processor is additionally described. The event processor may use the database to allocate memory chunks of a shared heap to components/processes in one or more protection modes of the operating system.

STORAGE ENCRYPTION FOR A TRUSTED EXECUTION ENVIRONMENT

Aspects of the invention include loading an image of a virtual server onto a boot partition of a trusted execution environment (TEE), wherein a first key is embedded in the image. A second key is received from an end customer of an application. Data is received from an independent software vendor (ISV) of the application, wherein the data includes a third key. The second key and the third key are combined inside the TEE to create a fourth key. An available memory space in an independent memory device is encrypted using the fourth key to create a secure data volume. Encrypted data is stored in the secure data volume.

Security for address translation services

A processor receives, from a requestor, a first request containing a virtual address. Based on the first request, the processor determines a real address corresponding to the virtual address, encrypts at least a portion of the real address to obtain a cryptographic secure real address, and returns the cryptographic secure real address to the requestor. Based on receiving a second request specifying a request address, the processor decrypts the request address to validate the request address as the cryptographic secure real address. Based on validating the request address as the cryptographic secure real address, the processor allows access to a resource of the data processing system identified by the real address.

Secure transient buffer management
11698996 · 2023-07-11

Methods and systems are described that secure application data maintained in transient data buffers located in a memory that is freely accessible to other components, regardless of whether those components have permission to access the application data. The system includes an application processor, a memory having a portion configured as a transient data buffer, a hardware unit, and a secure processor. The hardware unit accesses the transient data buffer during execution of an application on the application processor. The secure processor is configured to manage encryption of the transient data buffer as part of giving the hardware unit access to the transient data buffer.